GDPR

Data Protection

Objectives of our Policy and Procedures

MY Trust holds large amounts of confidential information and places special emphasis on information quality, security and management. It is our policy to make sure that people have no surprises about how information about them is collected, held, used and destroyed. It is also our policy that the information and intellectual property belonging to our organisation is treated with the respect it deserves.

It is the responsibility of all our staff, volunteers and Trustees to protect confidential information from inappropriate disclosure and to take every measure to ensure that person identifiable information is not made available to unauthorised persons. This applies to manual and computer records and also conversations about support or interventions with young people and/or staff. We expect this policy and accompanying procedures to become part of the DNA of all our staff, volunteers and Trustees. As such, individuals, our partners and our organisation itself should be reassured by our commitment and actions.

Our policy and accompanying procedures have two core objectives:

Objective 1: To ensure the information about service users, our staff and volunteers, and the intellectual property of our organisation is treated respectfully and within the law, regulation and stated expectations.

Objective 2: To provide clear, transparent guidance and procedures for our staff and volunteers to manage their work practically in accordance with this policy.

Policy Statement

Confidentiality is a cornerstone of practice within MY Trust and the relationship between a member of our staff and a young person depends on it. Young people and families need to be able to tell the truth about deeply personal matters, knowing that this information will not be improperly managed or disclosed. Similarly, the relationship between MY Trust as an employer and our staff and volunteers is also one based on trust and confidentiality.

People using our services as well as our staff and volunteers deserve a lot more than just information security. Individuals need to know that those responsible for working with them and our organisation more generally collect, manage and share information reliably and effectively. Confidential information about an individual must not leak but it may well need to be shared in order to provide a seamless integrated service to a young person/family or effective management and support for an employee.

The General Data Protection Regulation (GDPR), 2018 protects individuals against the misuse of personal data and may cover both manual and electronic records. All records held on computer or in manual files fall within the GDPR, unless the data is anonymised.

Through this policy, we ensure that personal data is:

Processed with lawfulness, fairness and transparency

Only processed for specific, explicit and legitimate purposes (purpose limitations)

Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)

Accurate and where necessary kept up to date (accuracy)

Kept in a form which permits identification of data subjects for no longer than necessary (storage limitations), and

Processed in a manner that ensures appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage (integrity and confidentiality)

Through this policy, we ensure that data is processed lawfully under one of these conditions.

Consent: the individual has given clear consent to process their data for a specific purpose

Contract: the processing is necessary for a contract with the individual, or because they asked us to take specific steps before entering into a contract

Legal Obligation: the processing is necessary for us to comply with the law.

Vital Interests: the processing is necessary to protect someone’s life

Public Task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law, or

Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests

Special Category Data

Criminal Offence Data

Through this policy, we ensure that data is only processed following these rights for individuals, depending on the lawful basis for processing.

The right to be informed

The right to access

The right to rectification

The right to erasure

The right to restrict processing

The right to data portability

The right to object, and

Rights in relation to automated decision making and profiling

For employment purposes, the most important right is our employees’ right to know what personal data is held about them and to have access to it.

It is our view that for too long, people have hidden behind the relative obscurity of Data Protection Acts or alleged rules of information governance in order to avoid taking decisions that would benefit service users. Through this policy and procedures we strike the balance between confidentiality, information security and information sharing to ensure effective support for service users and employment practice.

At MY Trust we are equally committed to ensuring that service users’ wishes are respected in relation to how their information is used. While people are unlikely to object to sharing confidential information that enables better outcomes for them personally, there may be some who do not want it used for purposes such as research or reshaping services to achieve better services more generally. Our policy and procedures support the individual’s right to object and set out how we will respect this.

We will achieve our policy through Eleven Rules that provide the thread through all of our work and employment practice.

For all Individuals including Service Users:

Rule 1: Personal information will be treated confidentially and respectfully

Rule 2: Our staff will share confidential information when it is needed for the safe and effective support of an individual

Rule 3: Data used to target prevention and intervention will be robust

Rule 4: Information that is shared for the benefit of the community will be anonymised

Rule 9: We have robust practices for our storage, retention and destruction of information

Rule 10: We have rigorous but proportionate accountabilities and monitoring to ensure our rules are followed

Rule 11: Allegations of or actual breaches of data protection or confidentiality will be managed and investigated fairly and promptly

Definitions

GDPR Principles

The Regulation requires that personal data:

Shall be processed fairly and lawfully

Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose

Shall be accurate and where necessary kept up to date

Shall not be kept longer than is necessary for that purpose

Processed in accordance with the rights of the data subject

Appropriate measures are undertaken against unauthorised or unlawful processing and against accidental loss, destruction or damage to personal data

Shall not be transferred to a country or territory outside of the European Economic Area unless that country/territory assures standards of data processing

Caldicott Principles

We will apply the six general principles of good practice as follows:

Justify the purpose

Do not use person identifiable information unless absolutely necessary

Use the minimum person identifiable information

Access to person identifiable information should be on a strict need to know basis

Everyone should be aware of their responsibilities

Understand and comply with the law

Confidential Information

Confidential information can be anything that relates to young people, staff, (including volunteers, temporary and agency staff, student placements), their family or friends. It also includes any MY Trust business sensitive information.

Information may be held on MY Trust servers, client databases, computer file or printout, CDs, portable devices such as laptops, tablets, mobile phones, photographs, video/digital cameras and even heard by word of mouth.

Personal information

Personal information is information which is about a living person and affects that person’s privacy (whether in his/her personal or family life, business or professional capacity) in the sense that the information has the person as its focus or is otherwise biographical in nature.

Person identifiable information is anything that contains the means to identify a person (eg, name, address, postcode, date of birth, NI number, IP address). Even a visual image (eg photo) is sufficient to identify an individual.

Special Categories of Personal Data

The GDPR refers to sensitive personal data as “special categories of personal data”. Special Categories of Personal Data is personal data consisting of information related to:

Certain categories of information are legally defined as personally sensitive and should be most carefully protected by additional requirements stated in legislation (eg information regarding sexually transmitted diseases, HIV, transgender procedures and termination of pregnancy).

Processing

The term ‘processing’ is used within the GDPR. It applies to a range of activities including the initial obtaining of personal information, the retention and use of it, access and disclosure and final disposal.

Verification and Vetting

‘Verification’ covers the process of checking that details supplied by job applicants (eg qualifications) are accurate and complete. Verification therefore is limited to checking of information that is sought in a job application or provided by an applicant; this includes taking up references or use of verification through the Disclosure & Barring Service. Vetting covers any activity we undertake to make our own enquiries from a third party about a job applicant’s background and circumstances. It goes beyond the verification of details as per para (v) above.

Legislative and Regulatory Basis

Our policy fits with and is compliant with the following legislation and regulation:
